Validation of a location resource based on recipient access

ABSTRACT

Aspects of the present disclosure relate to a method, a system, and a computer program product for validating a location resource, e.g., a hyperlink, embedded in a message for one or more recipients. The method includes receiving, by a computing node in a distributed computing environment and from a messaging application on a remote client computer, an identifier of a user profile and a location resource. The location resource is embedded in a message and that indicates a path to a computing resource outside of the remote client computer. The method also includes querying a repository in the distributed computing environment to obtain access permission information about the location resource. The method also includes determining, based upon the access permission information about the location resource, whether the user profile has access permission for the location resource.

BACKGROUND

The present disclosure relates to exchanging a message between usersover a computer communications network, and more specifically, tovalidating location resources within messages for recipient access.

Messages are exchanged between users over communication networks. Someexamples of messages include electronic mail, instant messaging (IM),and Short Message Service (SMS), i.e., text messaging. Typically, emailsare composed and sent using a mail client application. A given emailmessage may include payload in the form of text or in-line figures, aswell as attachments (e.g., documents, pictures, video files). Further,the email message may include hyperlinks. As is known, a hyperlink is areference from one document (e.g., the email message) to another (e.g.,a web page). Generally, a hyperlink facilitates content browsing.Content browsing refers to the retrieval and presentation of electroniccontent via a client application, such as a Web browser. Generally,content may include electronic documents, graphical images, audio, andaudiovisual and video materials. Typically, content may be stored in aserver environment and published for access by content consumers over acomputer communications network such as the Internet. Content consumers,in turn, can retrieve content over the network by reference to a networkaddress for the content. Once retrieved, the content may be rendered bythe client application.

SUMMARY

Aspects of the present disclosure relate to a method, a system, and acomputer program product for validating a location resource, e.g., ahyperlink, embedded in a message for one or more recipients.

One embodiment relates to a method for validating the location resource.The method includes receiving, by a computing node in a distributedcomputing environment and from a messaging application on a remoteclient computer, an identifier of a user profile and a locationresource. The location resource is embedded in a message and thatindicates a path to a computing resource outside of the remote clientcomputer. The method also includes querying a repository in thedistributed computing environment to obtain access permissioninformation about the location resource. The method also includesdetermining, based upon the access permission information about thelocation resource, whether the user profile has access permission forthe location resource. The method also includes communicating the accesspermission for the location resource to the messaging application withinthe remote client computer in response to the user profile having accesspermission for the location resource.

Another embodiment relates to a system. The system includes a remoteclient computer. The remote client computer further includes a messagingapplication configured to send a message to one or more recipients witha location resource that is embedded in the message and that indicates apath to a computing resource outside of the remote client computer. Themessaging application is also configured to communicate, visually,access permission of a recipient for the location resource to a sender.The system also includes a distributed computing environment. Thedistributed computing environment includes a repository of the locationresource with access permission for a user profile associated with therecipient. The distributed computing environment also includes aprocessing engine, hosted by a computing node in the distributedcomputing environment. The processing engine is configured to receive,from the messaging application, the location resource and the userprofile associated with the recipient of the message. The processingengine is further configured to query, within a repository in thedistributed computing environment, the location resource. The processingengine is further configured to determine whether an identifier of theuser profile has access permission for the location resource. Theprocessing engine is further configured to communicate the accesspermission for the location resource to the messaging application inresponse to the user profile having access permission for the locationresource.

Yet another embodiment is directed towards a computer program product.The above summary is not intended to describe each illustratedembodiment or every implementation of the present disclosure.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings included in the present application are incorporated into,and form part of, the specification. They illustrate embodiments of thepresent disclosure and, along with the description, serve to explain theprinciples of the disclosure. The drawings are only illustrative ofcertain embodiments and do not limit the disclosure.

FIG. 1 illustrates an operating environment, according to variousembodiments.

FIG. 2 illustrates a cloud computing environment, according to variousembodiments.

FIG. 3 illustrates a set of functional abstraction layers provided bythe cloud computing environment, according to various embodiments.

FIG. 4 illustrates a block diagram of a system for validating accesspermission of location resources for recipients of a message, accordingto various embodiments.

FIG. 5 illustrates a block diagram of a system describing theinteraction between the cloud-based computing system and thenetwork-based application, according to various embodiments.

FIG. 6 illustrates a flowchart of a method of validating a locationresource for a user profile associated with a recipient, according tovarious embodiments.

FIG. 7 illustrates a flowchart of a method for requesting accesspermission data for a user profile accessing a location resource,according to various embodiments.

FIG. 8 illustrates a graphical user interface for a messagingapplication, according to various embodiments.

While the invention is amenable to various modifications and alternativeforms, specifics thereof have been shown by way of example in thedrawings and will be described in detail. It should be understood,however, that the intention is not to limit the invention to theparticular embodiments described. On the contrary, the intention is tocover all modifications, equivalents, and alternatives falling withinthe spirit and scope of the invention.

DETAILED DESCRIPTION

Aspects of the present disclosure relate to exchanging a message betweenusers over a computer communications network, and more specifically, tovalidating a location resource within messages for recipient access. Alocation resource is a network resource on another server. The locationresource can indicate a path to a computing resource outside of a remoteclient computer. The location resource may be an address to access theresource. A common form of location resource is a hyperlink. Aspects ofthe present disclosure relate to validating that a recipient of amessage has access to the location resource, e.g., a hyperlink, embeddedin the message. The sender may view the recipients that have access tothe location resource prior to sending the message. The message may besent through a messaging application, e.g., e-mail program, Multi-MediaMessage Service (MMS), or Short Message Service (SMS).

The location resource, e.g., a hyperlink, can be validated using arepository within a cloud-based computing system. The cloud-basedcomputing system can access the repository and return data regarding theaccess permission of the recipient to the location resource. The accesspermission can be sent to the messaging application. The messagingapplication can visually indicate which recipient has access permissionto the location resource. While the present disclosure is notnecessarily limited to such applications, various aspects of thedisclosure may be appreciated through a discussion of various examplesusing this context.

With the advent of permission-based access control to hyperlinks, arecipient of a message may not have the same access permission for thehyperlink as the sender of the message. Furthermore, each recipient maynot have the same access permission as other recipients. Thus, it may beadvantageous for a sender to know which recipient will have access tothe hyperlink before the message is sent. It may also be advantageousfor a sender to know if there is an alternate hyperlink for therecipient.

An example of a hyperlink is a Uniform Resource Locator (URL). A URL isa string of characters used to identify or name a resource on a network,such as the Internet. A common way to identify a piece of contentavailable on a computer network such as the Internet is through anaddressing scheme including a protocol identifier such as “http”, aphysical server address such as “domain.com,” a file system address suchas “root/sub-level” and a file name such as “mypage.html” such that thecombined URL appears as “http://domain.tld/root/sub-level/mypage.html”(referring to the electronic document “mypage.html”). Further, manypieces of content included in a Web page, such as graphical images, mayeach be associated with and retrieved through a respective URL.

Activating a hyperlink in content in a content browser generally causescontent referenced by the hyperlink to be retrieved and displayed in theclient application. In some circumstances, activating the hyperlink canresult in launching a new client application (e.g., a word processorapplication) that can display or otherwise render the referencedcontent. Of note, hyperlinked content is not limited to textual content.For instance, hyperlinked content may include multimedia elements oreven files selected for download. Further, some advanced Webapplications utilize hyperlinks to initiate commands in a backendcomputing system such as initiation of a database query or submission ofa form.

It is understood in advance that although this disclosure includes adetailed description on cloud computing, implementation of the teachingsrecited herein are not limited to a cloud computing environment. Rather,embodiments of the present invention are capable of being implemented inconjunction with any other type of computing environment now known orlater developed.

Cloud computing is a model of service delivery for enabling convenient,on-demand network access to a shared pool of configurable computingresources (e.g. networks, network bandwidth, servers, processing,memory, storage, applications, virtual machines, and services) that canbe rapidly provisioned and released with minimal management effort orinteraction with a provider of the service. This cloud model may includeat least five characteristics, at least three service models, and atleast four deployment models.

Characteristics are as follows:

On-demand self-service: a cloud consumer can unilaterally provisioncomputing capabilities, such as server time and network storage, asneeded automatically without requiring human interaction with theservice's provider.

Broad network access: capabilities are available over a network andaccessed through standard mechanisms that promote use by heterogeneousthin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Resource pooling: the provider's computing resources are pooled to servemultiple consumers using a multi-tenant model, with different physicaland virtual resources dynamically assigned and reassigned according todemand. There is a sense of location independence in that the consumergenerally has no control or knowledge over the exact location of theprovided resources but may be able to specify location at a higher levelof abstraction (e.g., country, state, or datacenter).

Rapid elasticity: capabilities can be rapidly and elasticallyprovisioned, in some cases automatically, to quickly scale out andrapidly released to quickly scale in. To the consumer, the capabilitiesavailable for provisioning often appear to be unlimited and can bepurchased in any quantity at any time.

Measured service: cloud systems automatically control and optimizeresource use by leveraging a metering capability at some level ofabstraction appropriate to the type of service (e.g., storage,processing, bandwidth, and active user accounts). Resource usage can bemonitored, controlled, and reported providing transparency for both theprovider and consumer of the utilized service.

Service Models are as follows:

Software as a Service (SaaS): the capability provided to the consumer isto use the provider's applications running on a cloud infrastructure.The applications are accessible from various client devices through athin client interface such as a web browser (e.g., web-based e-mail).The consumer does not manage or control the underlying cloudinfrastructure including network, servers, operating systems, storage,or even individual application capabilities, with the possible exceptionof limited user-specific application configuration settings.

Platform as a Service (PaaS): the capability provided to the consumer isto deploy onto the cloud infrastructure consumer-created or acquiredapplications created using programming languages and tools supported bythe provider. The consumer does not manage or control the underlyingcloud infrastructure including networks, servers, operating systems, orstorage, but has control over the deployed applications and possiblyapplication hosting environment configurations.

Infrastructure as a Service (IaaS): the capability provided to theconsumer is to provision processing, storage, networks, and otherfundamental computing resources where the consumer is able to deploy andrun arbitrary software, which can include operating systems andapplications. The consumer does not manage or control the underlyingcloud infrastructure but has control over operating systems, storage,deployed applications, and possibly limited control of select networkingcomponents (e.g., host firewalls).

Deployment Models are as follows:

Private cloud: the cloud infrastructure is operated solely for anorganization. It may be managed by the organization or a third party andmay exist on-premises or off-premises.

Community cloud: the cloud infrastructure is shared by severalorganizations and supports a specific community that has shared concerns(e.g., mission, security requirements, policy, and complianceconsiderations). It may be managed by the organizations or a third partyand may exist on-premises or off-premises.

Public cloud: the cloud infrastructure is made available to the generalpublic or a large industry group and is owned by an organization sellingcloud services.

Hybrid cloud: the cloud infrastructure is a composition of two or moreclouds (private, community, or public) that remain unique entities butare bound together by standardized or proprietary technology thatenables data and application portability (e.g., cloud bursting forload-balancing between clouds).

A cloud computing environment is service oriented with a focus onstatelessness, low coupling, modularity, and semantic interoperability.At the heart of cloud computing is an infrastructure comprising anetwork of interconnected nodes.

Referring now to FIG. 1, a schematic of an example of a cloud computingnode is shown. Cloud computing node 10 is only one example of a suitablecloud computing node and is not intended to suggest any limitation as tothe scope of use or functionality of embodiments of the inventiondescribed herein. Regardless, cloud computing node 10 is capable ofbeing implemented and/or performing any of the functionality set forthhereinabove.

In cloud computing node 10 there is a computer system/server 12, whichis operational with numerous other general purpose or special purposecomputing system environments or configurations. Examples of well-knowncomputing systems, environments, and/or configurations that may besuitable for use with computer system/server 12 include, but are notlimited to, personal computer systems, server computer systems, thinclients, thick clients, hand-held or laptop devices, multiprocessorsystems, microprocessor-based systems, set top boxes, programmableconsumer electronics, network PCs, minicomputer systems, mainframecomputer systems, and distributed cloud computing environments thatinclude any of the above systems or devices, and the like.

Computer system/server 12 may be described in the general context ofcomputer system-executable instructions, such as program modules, beingexecuted by a computer system. Generally, program modules may includeroutines, programs, objects, components, logic, data structures, and soon that perform particular tasks or implement particular abstract datatypes. Computer system/server 12 may be practiced in distributed cloudcomputing environments where tasks are performed by remote processingdevices that are linked through a communications network. In adistributed cloud computing environment, program modules may be locatedin both local and remote computer system storage media including memorystorage devices.

As shown in FIG. 1, computer system/server 12 in cloud computing node 10is shown in the form of a general-purpose computing device. Thecomponents of computer system/server 12 may include, but are not limitedto, one or more processors or processing units 16, a system memory 28,and a bus 18 that couples various system components including systemmemory 28 to processor 16.

Bus 18 represents one or more of any of several types of bus structures,including a memory bus or memory controller, a peripheral bus, anaccelerated graphics port, and a processor or local bus using any of avariety of bus architectures. By way of example, and not limitation,such architectures include Industry Standard Architecture (ISA) bus,Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, VideoElectronics Standards Association (VESA) local bus, and PeripheralComponent Interconnect (PCI) bus.

Computer system/server 12 typically includes a variety of computersystem readable media. Such media may be any available media that isaccessible by computer system/server 12, and it includes both volatileand non-volatile media, removable and non-removable media.

System memory 28 can include computer system readable media in the formof volatile memory, such as random access memory (RAM) 30 and/or cachememory 32. Computer system/server 12 may further include otherremovable/non-removable, volatile/non-volatile computer system storagemedia. By way of example only, storage system 34 can be provided forreading from and writing to a non-removable, non-volatile magnetic media(not shown and typically called a “hard drive”). Although not shown, amagnetic disk drive for reading from and writing to a removable,non-volatile magnetic disk (e.g., a “floppy disk”), and an optical diskdrive for reading from or writing to a removable, non-volatile opticaldisk such as a CD-ROM, DVD-ROM or other optical media can be provided.In such instances, each can be connected to bus 18 by one or more datamedia interfaces. As will be further depicted and described below,memory 28 may include at least one program product having a set (e.g.,at least one) of program modules that are configured to carry out thefunctions of embodiments of the invention.

Program/utility 40, having a set (at least one) of program modules 42,may be stored in memory 28 by way of example, and not limitation, aswell as an operating system, one or more application programs, otherprogram modules, and program data. Each of the operating system, one ormore application programs, other program modules, and program data orsome combination thereof, may include an implementation of a networkingenvironment. Program modules 42 generally carry out the functions and/ormethodologies of embodiments of the invention as described herein.

Computer system/server 12 may also communicate with one or more externaldevices 14 such as a keyboard, a pointing device, a display 24, etc.;one or more devices that enable a user to interact with computersystem/server 12; and/or any devices (e.g., network card, modem, etc.)that enable computer system/server 12 to communicate with one or moreother computing devices. Such communication can occur via Input/Output(I/O) interfaces 22. Still yet, computer system/server 12 cancommunicate with one or more networks such as a local area network(LAN), a general wide area network (WAN), and/or a public network (e.g.,the Internet) via network adapter 20. As depicted, network adapter 20communicates with the other components of computer system/server 12 viabus 18. It should be understood that although not shown, other hardwareand/or software components could be used in conjunction with computersystem/server 12. Examples, include, but are not limited to: microcode,device drivers, redundant processing units, external disk drive arrays,RAID systems, tape drives, and data archival storage systems, etc.

Referring now to FIG. 2, illustrative cloud computing environment 50 isdepicted. As shown, cloud computing environment 50 comprises one or morecloud computing nodes 10 with which local computing devices used bycloud consumers, such as, for example, personal digital assistant (PDA)or cellular telephone 54A, desktop computer 54B, laptop computer 54C,and/or automobile computer system 54N may communicate. Nodes 10 maycommunicate with one another. They may be grouped (not shown) physicallyor virtually, in one or more networks, such as Private, Community,Public, or Hybrid clouds as described hereinabove, or a combinationthereof. This allows cloud computing environment 50 to offerinfrastructure, platforms and/or software as services for which a cloudconsumer does not need to maintain resources on a local computingdevice. It is understood that the types of computing devices 54A-N shownin FIG. 1 are intended to be illustrative only and that computing nodes10 and cloud computing environment 50 can communicate with any type ofcomputerized device over any type of network and/or network addressableconnection (e.g., using a web browser).

Referring now to FIG. 3, a set of functional abstraction layers providedby cloud computing environment 50 (FIG. 2) is shown. It should beunderstood in advance that the components, layers, and functions shownin FIG. 3 are intended to be illustrative only and embodiments of theinvention are not limited thereto. As depicted, the following layers andcorresponding functions are provided:

Hardware and software layer 60 includes hardware and softwarecomponents. Examples of hardware components include mainframes, in oneexample IBM® zSeries® systems; RISC (Reduced Instruction Set Computer)architecture based servers, in one example IBM pSeries® systems; IBMxSeries® systems; IBM BladeCenter® systems; storage devices; networksand networking components. Examples of software components includenetwork application server software, in one example IBM WebSphere®application server software; and database software, in one example IBMDB2® database software. (IBM, zSeries, pSeries, xSeries, BladeCenter,WebSphere, and DB2 are trademarks of International Business MachinesCorporation registered in many jurisdictions worldwide).

Virtualization layer 62 provides an abstraction layer from which thefollowing examples of virtual entities may be provided: virtual servers;virtual storage; virtual networks, including virtual private networks;virtual applications and operating systems; and virtual clients.

In one example, management layer 64 may provide the functions describedbelow. Resource provisioning provides dynamic procurement of computingresources and other resources that are utilized to perform tasks withinthe cloud computing environment. Metering and Pricing provide costtracking as resources are utilized within the cloud computingenvironment, and billing or invoicing for consumption of theseresources. In one example, these resources may comprise applicationsoftware licenses. Security provides identity verification for cloudconsumers and tasks, as well as protection for data and other resources.User portal provides access to the cloud computing environment forconsumers and system administrators. Service level management providescloud computing resource allocation and management such that requiredservice levels are met. Service Level Agreement (SLA) planning andfulfillment provide pre-arrangement for, and procurement of, cloudcomputing resources for which a future requirement is anticipated inaccordance with an SLA.

Workloads layer 66 provides examples of functionality for which thecloud computing environment may be utilized. Examples of workloads andfunctions which may be provided from this layer include: mapping andnavigation; software development and lifecycle management; virtualclassroom education delivery; data analytics processing; transactionprocessing; and user validation to virtual machines.

In various embodiments, the term distributed computing environmentrefers to the cloud computing environment 50 in FIG. 2. The term computenode may refer to the cloud computing node 10 in FIG. 1.

FIG. 4 illustrates a block diagram of a system 400 for validating accesspermission of location resources for recipients of a message, accordingto various embodiments. The system 400 can include a remote computingsystem 410, a cloud-based computing system 412, and one or morenetwork-based applications 414.

The remote computing system 410 can have a messaging application 418that creates a message. A sender may use the messaging application onthe remove computing system to send a message to one or more recipients.The message may include an embedded location resource. The locationresource refers to a network resource accessed by the remote computingsystem but external to the remote computing system. The locationresource can indicate a path to the network resource, e.g., a hyperlink,a file server path, or a Uniform Resource Locator (URL). The cloud-basedcomputing system 412 can validate the embedded location resource for therecipient. Each recipient of the message has a user profile. The userprofile contains one or more identifying factors, which are factors thatindicate an identity of an individual associated with the user profile.The cloud-based computing system can further validate the access byquerying information regarding access permission of the user profileassociated with the recipient to the embedded location resource.

If there is no access permission data, then the cloud-based computingsystem can request the access permission data for the recipient from anetwork-based application 414 through an Application ProgrammingInterface (API). The network-based application 414 may be external tothe cloud-based computing system 412. Once the recipient is found in thecloud-based computing system 412, then the cloud-based computing system412 communicates the access permission to the remote computing system410 where it is conveyed to the sender.

The request to validate an embedded location resource originates at theremote computing system 410. The remote computing system 410 is a devicethat performs computing operations and may run the messaging application418 either locally or part of local instance of a cloud-based computingsystem 412. The remote computing system 410 can be a mobile phone, alaptop computer, or a virtual machine from the cloud-based computingsystem. The remote computing system 410 can have a messaging application418 that provides messaging services such as Short Message Service(SMS), Multimedia Message Service (MMS), e-mail, instant messaging, etc.

The remote computing system 410 can include a monitoring engine 416 anda messaging application 418. A sender of the remote computing system 410interacts with a messaging application 418. The messaging application418 can have a graphical user interface. The graphical user interfacecan relay instructions from the user to the messaging application 418.The sender can use the messaging application to create a message to sendto one or more recipients. The message includes an embedded locationresource. A monitoring engine 416 checks the embedded location resourceto ensure that the location resource is working. In various embodiments,the monitoring engine can determine whether a request to a locationresource is received. If the location resource is not functional, e.g.,where the location resource is broken, then the monitoring engine 416can communicate to the messaging application 418 that the locationresource is non-functional. If the location resource is functional, thenthe monitoring engine 416 can communicate a request to validate theembedded location resource for each recipient with the cloud-basedcomputing system 412.

According to embodiments, the cloud-based computing system 412 cancorrespond to the cloud computing environment 50 in FIG. 2. Thecloud-based computing system 412 can configured to be a private orpublic cloud but for enhanced security, the cloud may be private. Thecloud-based computing system 412 may contain a repository 420 and aprocessing engine 422. The processing engine 422 may be hosted on one ormore compute nodes, e.g., the compute node 10 described in FIG. 1,within the cloud-based computing system 412. In various embodiments, theprocessing engine 422 can be located within the cloud-based computingsystem 412 for purposes of fast access. The processing engine 422 isresponsible for receiving the request to validate the embedded locationresource. The processing engine 422 can manage various validationfunctions. For example, the processing engine 422 can query therepository 420 for the embedded location resource information and therecipient. The repository 420 can be a cloud-based database in arelational format. In various embodiments, the repository 420 can be ahigh-speed database separate from a cloud-based computing system 412.

For each query, the processing engine 422 can retrieve data regardingaccess permission for a recipient. If the access permission data ispresent in the repository 420, the processing engine 422 can communicatethe access permission for the recipient to the user interface 418. Ifthe access permission data is not present in the repository, then theprocessing engine 422 can request for additional access permission datafrom the network-based application 414 or communicate to the remotecomputing system 410 that the access to the embedded location resourceis not validated.

Consistent with embodiments, the network-based application 414 may be anindependent third party application that neither the remote computingsystem 410 nor the cloud-based computing system 412 can control. Invarious embodiments, the network-based application 414 can be anexternal application from the messaging application 418. Thenetwork-based application 414 can also refer to an application that issegregated from the cloud-based computing system 412 and the messagingapplication 418. The network-based application 414 shares a relationshipwith the embedded location resource. For example, if the embeddedlocation resource is a URL of, https://{webname}.com/photos/johndoe,then the network-based application 414 can check if the recipient hasaccess to John Doe's photos. The network-based application 414 caninclude an API for {webname}.com. The network-based application 414 canuse a variety of methods to determine whether the recipient has accessto John Doe's photos. For example, if the a user name for {webname}.comis associated with the recipient, i.e., a common email address, then theAPI for {webname}.com can readily determine access permission.

If there is no username for {webname}.com, then the API may use a givenname such as “Jane Doe” to determine if a user of {webname}.com thatshares the name “Jane Doe” and that the user “Jane Doe” has access JohnDoe's photos. The network-based application 414 may use variousadministrative rules 424 and a private/public profile 426 to helpidentify the recipient. The administrative rules 424 may be a collectionof predefined rules or user preferences. For example, if accesspermission to John Doe's photos are queried, then the network-basedapplication 414 will return all of the users that are friends with JohnDoe. The private/public profile 426 can contain information unique to auser. For example, Jane Doe may be able to have her {webname}.com publicprofile accessed to determine whether there is a name associated withthe user profile but not her private profile which includes a telephonenumber.

In various embodiments, the network-based application 414 may not beconfigured for an external API. If the processing engine 422 does nothave communication with the network-based application 414 or cannotvalidate the access permission, e.g., due to insufficient accesspermission data, then the processing engine 422 may communicate the lackof communication with the remote computing system 410.

Once the network-based application 414 determines that there is accesspermission data associated with the recipient, then the processingengine 422 can update the repository with the updated access permissiondata. In various embodiments, the processing engine 422 can communicatethe new access permission data to the remote computing system 410. Ifthe recipient does not have access permission to the location resource,then the processing engine 422 may return an alternate locationresource. The alternate location resource is a location resource that isable to be accessed by a recipient. A recipient may not have accesspermission to access one location resource, e.g., because the recipientis not friends with a sender. The recipient may have access to thealternate location resource, e.g., because the content of the locationresource and alternate location resource has identical content and therecipient is friends with the alternate location resource owner. Invarious embodiments, the alternate location resource is provided to themessaging application 418 in response to the recipient not having accesspermission for the location resource. The alternate location resource isdescribed further herein.

FIG. 5 illustrates a block diagram of a system 500 describing theinteraction between the cloud-based computing system and thenetwork-based application, according to various embodiments. Elements insystem 500 may correspond to elements in FIG. 4. For example, therepository 520 corresponds to the repository 420 in FIG. 4, thecloud-based computing system 512 corresponds to cloud-based computingsystem 412, the network-based application 514 corresponds tonetwork-based application 414, and the processing engine 522 correspondsto processing engine 422. System 500 may describe an example of themanagement of access permission data by the processing engine 522.

The repository 520 may contain structured information in a relationaldatabase element, such as a table. In this example, the table contains arequested URL, i.e., a location resource, to Jane Doe's photos on{webname}.com. The recipient is identified by the useridentification(ID)/user profile used by the messaging application.Identifying factors of the recipient, such as the work email, name, andlocation are noted. However, for the access permission data, the fieldis incomplete and redirected to the {webname}.com API.

The processing engine 522 may note the absence of the access permissiondata of the recipient in the repository 520. The processing engine 522may follow the redirect to the {webname}.com API, e.g. 514. If therecipient johnd is in an office setting but does not have his workemail, johnd@{work domain}, associated with his {webname}.com username,then the {webname}.com API may also receive identifying factors from theprocessing engine 522. The two identifying factors, that the recipient'sname is John Doe, and that his location is Anywhere, Alaska, may be usedby the {webname}.com API to match to a user in the {webname}.comdatabase. The {webname}.com API may be further configured to check tosee if the matched user has access to user Jane Doe's photos.

Assuming that the matched user exists, then the access permission datafor the user profile/recipient is communicated to the processing engine522. The processing engine 522 updates the information in the repository520 and communicates the access permission to a remote computing system.Each API from network-based applications 514 may function in a differentmanner. In various embodiments, a network-based application 514 may notallow queries into whether a recipient is an authorized user withoutcredentials.

FIG. 6 illustrates a flowchart of a method 600 of validating a locationresource for a user profile associated with a recipient, according tovarious embodiments. The method 600 may be for a processing engine on acloud-based computing system such as the processing engine 422 describedin FIG. 4. The processing engine receives a validation request from amessaging application, e.g., email, to validate a recipient. Theprocessing engine validates the recipient within the cloud-basedcomputing system and returns a validation to the messaging applicationon a remote computing system. The method 600 begins at operation 610.

In operation 610, the processing engine receives a location resource anda user profile associated with the recipient. The location resource canindicate the location of a resource of a computer system resource. Forexample, a URL indicates the network address to access a webpage on aserver. The user profile is a compilation of identifying factorsassociated with a particular recipient of a message validation system.Once the location resource and the user profile are received, then themethod 600 continues to operation 614.

In operation 614, the processing engine queries a location resource in arepository. The repository is located within the cloud-based computingsystem and may be a high-speed storage device. In the repository, thelocation resource is identified and along with multiple identificationfactors. Access permission data may also be associated with the locationresource in the repository. Once queried, then the method 600 continuesto operation 616.

In operation 616, the processing engine determines whether the locationresource access permission data exists. The location resource accesspermission data refers to the presence of access permission for thelocation resource. The access permission data refers to the presence ofany data and not necessarily whether a user profile has accesspermission for the location resource. For example, the repository maynot have access permission data associated with the location resource,which would indicate that the processing engine has insufficient data onwhether the recipient has access permission to the location resource.Insufficient data may be different than not having access permission tothe location resource, according to various embodiments. If the locationresource access permission data does not exist, i.e., a non-existence ofaccess permission data, then the method 600 continues to operation 622.If the location resource access permission data exists, then the method600 continues to operation 618.

In operation 622, the processing engine can obtain the location resourceaccess permission data for the user profile. The processing engine canobtain the location resource access permission data by requesting thelocation resource access permission data from a network-basedapplication. The application may be able to obtain access permissiondata for a user profile and be described further herein. Once theprocessing engine requests location resource access permission data,then the method 600 continues to operation 624.

In operation 624, the processing engine can determine if the accesspermission data for the user profile is obtainable. The accesspermission data may not be obtainable if there is no communication withthe application. The access permission data may not be obtainable if theapplication does not allow disclosure of user data. For example, if onlya friend of a user of the application can access the user's photos, thenthe application not releasing a list of friends of the user will makethe access permission for the user unobtainable. The processing enginecan receive the access permission data from the application. The receiptof the access permission data can indicate to the processing engine thatit is obtainable. If the location resource access permission data isobtainable, the method 600 continues to operation 618. If the locationresource access permission data is not obtainable, then the method 600halts.

In operation 618, the processing engine determines whether the accesspermission for the recipient is validated. The access permission isvalidated whenever the recipient has access to the location resource.The access permission may be found in the repository. If the accesspermission is not validated, i.e., the recipient does not have accesspermission to the location resource, then the method 600 continues tooperation 626. If the access permission is validated for the locationresource, then the method 600 continues to operation 620.

In operation 620, the processing engine communicates the locationresource validation to the remote computing system. The remote computingsystem may receive the location resource validation and communicate thelocation resource validation to the messaging application. In variousembodiments, the messaging application may consolidate the accesspermissions for the location resource for a plurality of user profilesfor the recipients of the message.

In operation 626, the processing engine determines whether an alternatelocation resource exist. The processing engine may have to search for analternate whenever the recipient does not have access permission to thelocation resource. The alternate location resource may have the same orsubstantially similar content as the location resource. For example, thelocation resource may be a URL to a shared document. If recipient A doesnot have access permission to the shared document because the shareddocument, e.g., a resume, is owned by owner B with no relationship withrecipient A, then the processing engine can check for an alternatelocation resource. The alternate location resource can be the sameshared document but accessed on a different URL. The owner of the shareddocument with the different URL may be owner C who has a relationshipwith recipient A. Thus, the alternate location resource allows anotherpath to access the shared document.

The alternate location resource may be present in the repository. Thealternate location resource may be found while the processing engine isperforming background operations. For example, the processing engine canscan multiple external databases/applications for documents with thesame filename or metadata. If there is no alternate location resource,then the method 600 halts. If there is an alternate location resource,then the method 600 continues to operation 628. In operation 628, theprocessing engine selects the alternate location resource. Once thealternate is selected, then the analysis of alternate location resourcecontinues in place of the location resource in operation 614. There maybe circumstances where the alternate location resource specified in therepository for a user profile is not actually validated for the userprofile.

Alternatively, once selected, the processing engine can recommend analternate location resource to the remote computing system in operation630. The recommending of the alternate location resource may alsoindicate that the location resource is not validated for the userprofile. The remote computing system can receive the recommendation andpass the recommendation of the alternate location resource to themessaging application.

FIG. 7 illustrates a flowchart of a method 700 for requesting accesspermission data for a user profile accessing a location resource,according to various embodiments. The method 700 corresponds tooperation 622 from FIG. 6. In various embodiments, the method 700concerns obtaining access permission data or requesting the accesspermission data. The method 700 begins at operation 708.

In operation 708, the processing engine can send a request for accesspermission data for the location resource to a network-basedapplication. The application may be accessible via the cloud-basedcomputing system. The network-based application may also be a separatedatabase. Once the request is sent to the network-based application,then the application may process the request for the user profile. Themethod 700 continues to operation 710.

In operation 710, the processing engine can receive identificationfactors necessary for the location resource access permission. Theidentification factors may identify the user to the network-basedapplication. Examples of identification factors include a user name, anemail address, a location, a name, a photo, key, or a combinationthereof. In various embodiments, the identification factors may beaccessible to the application API without credentials for the recipient.In various embodiments, the identification factors are sent along withthe request for access permission data in operation 708. Thus, operation710 and 712 may be considered optional. Once the identification factorsnecessary are received by the processing engine, then the method 700continues to operation 712.

In operation 712, the processing engine can fetch the necessaryidentification factors for the user profile from the repository. Theidentification factors can be stored in the repository and associatedwith the user profile. Once the identification factors are fetched, thenthe method 700 can continue to operation 714.

In operation 714, the processing engine determines whether theapplication recognizes the identification factors. The externalapplication may not recognize the identification factors if theprocessing engine does not receive an answer for the request inoperation 708. In various embodiments, the network-based application maynot provide permissions to queries regarding access permission data.

The external application may not recognize the identification factors ifthe identification factors are not formatted for the application. Thenetwork-based application may only recognize identification factors in aparticular format. For example, if a name is transmitted as John H. Doebut the format for the API is Doe, John H. then the application may notrecognize the identification factor. If the application does notrecognize the identification factor, then the method 700 halts. If theapplication recognizes the identification factors, then the method 700continues to operation 716.

In operation 716, the processing engine can receive the accesspermission data from the application. Once received, then the method 700continues to operation 718. In operation 718, the processing engine canassociate the access permission data with the location resource.

FIG. 8 illustrates a graphical user interface for a messagingapplication, according to various embodiments. The messaging applicationcan be a Multimedia Message Service (MMS) application 800. The graphicaluser interface can communicate the validation determined in FIG. 6 foreach recipient. In a group MMS message 812 to recipient A, recipient B,and recipient C, the sender posts a URL 810. The URL 810 can bevalidated by sending the URL 810 and the user profiles for therecipients to the processing engine in the cloud-based computing system.The processing engine can validate each recipient for access permissionto the URL 810.

As a visual communication, the MMS application 800 can indicate thestatus of the URL by color to indicate a status. Each color may indicatea proportion of recipients that have access to the location resource.For example, a red URL 810 can indicate that fewer than 25% of therecipients will have access permission to the URL 810, a yellow URL 810can indicate that fewer than 50% of the recipients will have accesspermission, and a green URL 810 can indicate that fewer than 75% of therecipients will have access permission.

The MMS application 800 can also indicate the access permission of eachrecipient. For example, the processing engine can validate access forrecipient A and recipient B, but not recipient C. The access permissionof recipient C can be indicated visually by highlighting the recipientin the MMS application 800 with a different color. For example, when arecipient does not have access permission for a hyperlink, then thesender of the message may need to distinguish which recipient does nothave access so that the sender can make special arrangements to providethe content of the hyperlink to the recipient. By having visual cues forthe recipients that have or do not have access permission to thehyperlink, the sender can more easily make the determination.

In various embodiments, the MMS application 800 can also propose analternate location resource. For example, if recipient c cannot accessuser A's photos because recipient C does not have access permission,then the processing engine running on the back-end can determine whichphotos in user A's photos are public and refer recipient C to thealternate location resource.

The present invention may be a system, a method, and/or a computerprogram product. The computer program product may include a computerreadable storage medium (or media) having computer readable programinstructions thereon for causing a processor to carry out aspects of thepresent invention.

The computer readable storage medium can be a tangible device that canretain and store instructions for use by an instruction executiondevice. The computer readable storage medium may be, for example, but isnot limited to, an electronic storage device, a magnetic storage device,an optical storage device, an electromagnetic storage device, asemiconductor storage device, or any suitable combination of theforegoing. A non-exhaustive list of more specific examples of thecomputer readable storage medium includes the following: a portablecomputer diskette, a hard disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a static random access memory (SRAM), a portablecompact disc read-only memory (CD-ROM), a digital versatile disk (DVD),a memory stick, a floppy disk, a mechanically encoded device such aspunch-cards or raised structures in a groove having instructionsrecorded thereon, and any suitable combination of the foregoing. Acomputer readable storage medium, as used herein, is not to be construedas being transitory signals per se, such as radio waves or other freelypropagating electromagnetic waves, electromagnetic waves propagatingthrough a waveguide or other transmission media (e.g., light pulsespassing through a fiber-optic cable), or electrical signals transmittedthrough a wire.

Computer readable program instructions described herein can bedownloaded to respective computing/processing devices from a computerreadable storage medium or to an external computer or external storagedevice via a network, for example, the Internet, a local area network, awide area network and/or a wireless network. The network may comprisecopper transmission cables, optical transmission fibers, wirelesstransmission, routers, firewalls, switches, gateway computers and/oredge servers. A network adapter card or network interface in eachcomputing/processing device receives computer readable programinstructions from the network and forwards the computer readable programinstructions for storage in a computer readable storage medium withinthe respective computing/processing device.

Computer readable program instructions for carrying out operations ofthe present invention may be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data, or either source code or object code written in anycombination of one or more programming languages, including an objectoriented programming language such as Java, Smalltalk, C++ or the like,and conventional procedural programming languages, such as the “C”programming language or similar programming languages. The computerreadable program instructions may execute entirely on the user'scomputer, partly on the user's computer, as a stand-alone softwarepackage, partly on the user's computer and partly on a remote computeror entirely on the remote computer or server. In the latter scenario,the remote computer may be connected to the user's computer through anytype of network, including a local area network (LAN) or a wide areanetwork (WAN), or the connection may be made to an external computer(for example, through the Internet using an Internet Service Provider).In some embodiments, electronic circuitry including, for example,programmable logic circuitry, field-programmable gate arrays (FPGA), orprogrammable logic arrays (PLA) may execute the computer readableprogram instructions by utilizing state information of the computerreadable program instructions to personalize the electronic circuitry,in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer readable program instructions.

These computer readable program instructions may be provided to aprocessor of a general purpose computer, special purpose computer, orother programmable data processing apparatus to produce a machine, suchthat the instructions, which execute via the processor of the computeror other programmable data processing apparatus, create means forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks. These computer readable program instructionsmay also be stored in a computer readable storage medium that can directa computer, a programmable data processing apparatus, and/or otherdevices to function in a particular manner, such that the computerreadable storage medium having instructions stored therein comprises anarticle of manufacture including instructions which implement aspects ofthe function/act specified in the flowchart and/or block diagram blockor blocks.

The computer readable program instructions may also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operational steps to be performed on the computer,other programmable apparatus or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods, and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof instructions, which comprises one or more executable instructions forimplementing the specified logical function(s). In some alternativeimplementations, the functions noted in the block may occur out of theorder noted in the figures. For example, two blocks shown in successionmay, in fact, be executed substantially concurrently, or the blocks maysometimes be executed in the reverse order, depending upon thefunctionality involved. It will also be noted that each block of theblock diagrams and/or flowchart illustration, and combinations of blocksin the block diagrams and/or flowchart illustration, can be implementedby special purpose hardware-based systems that perform the specifiedfunctions or acts or carry out combinations of special purpose hardwareand computer instructions.

The descriptions of the various embodiments of the present disclosurehave been presented for purposes of illustration, but are not intendedto be exhaustive or limited to the embodiments disclosed. Manymodifications and variations will be apparent to those of ordinary skillin the art without departing from the scope and spirit of the describedembodiments. The terminology used herein was chosen to explain theprinciples of the embodiments, the practical application or technicalimprovement over technologies found in the marketplace, or to enableothers of ordinary skill in the art to understand the embodimentsdisclosed herein.

What is claimed is:
 1. A method comprising: receiving, by a computingnode in a distributed computing environment and from a messagingapplication on a remote client computer, an identifier of a user profileand a location resource that is embedded in a message and that indicatesa path to a computing resource outside of the remote client computer;querying a repository in the distributed computing environment to obtainaccess permission information about the location resource; determining,based upon the access permission information about the locationresource, whether the user profile has access permission for thelocation resource; and communicating the access permission for thelocation resource to the messaging application within the remote clientcomputer in response to the user profile having access permission forthe location resource.
 2. The method of claim 1, wherein determiningwhether the user profile has the access permission includes: determiningwhether access permission data for the location resource exists in therepository; requesting, from a network-based application and in responseto non-existence of the access permission data in the repository, accesspermission data for the location resource; and storing, in response toreceiving access permission data from the network-based application, theaccess permission data in the repository.
 3. The method of claim 2,wherein requesting the access permission data includes: sending requestfor access permission data to the network-based application; providingan identification factor associated with the user profile to thenetwork-based application; determining whether the network-basedapplication recognizes the identification factor; and receiving theaccess permission data in response to the network-based applicationrecognizing the identification factor.
 4. The method of claim 3, whereinsending the request for access permission data to the applicationincludes: sending the request for access permission data to anapplication programming interface of the network-based application. 5.The method of claim 1, further comprising: determining an alternativelocation resource in response to the access permission not beingvalidated; and recommending the alternative location resource to themessaging application.
 6. The method of claim 1, wherein communicatingthe access permission for the location resource includes: communicating,visually, the access permission for each user profile.
 7. The method ofclaim 6, further comprising: determining a proportion of user profileswith access permission; and communicating the proportion of userprofiles with access permission.
 8. The method of claim 6, whereincommunicating the access permission visually includes using colors toindicate the access permission.
 9. The method of claim 1, wherein theidentifier of the user profile includes an email address.
 10. The methodof claim 1, wherein the location resource includes a Uniform ResourceLocator (URL).